DDOS Attack Post Analysis and Introspection

There is a saying, “hindsight is 20/20.” We experience that quite a bit here at Name.com. We do a bit of armchair quarterbacking from time to time as well. Analogies aside though, we do our best to reflect and learn from any situation where it makes sense to do so. Such is the case with the recent DDOS attack that we experienced. It can be a double-edged sword to be transparent about things, but transparency is something we value a lot at our little company. It’s an important trait that we’ve learned to value as individuals as well. So when an entity attacked us with a massive DDOS attack, attempted to extort us, and continued to attack us because we did not give in to the extortion, we decided to open up and let our customers know exactly what transpired. Even so, there seems to be quite a bit of misunderstanding and confusion about what really happened and how we handled the situation. We hope to clear the air through this post. We’re listening.

When a DDOS attack begins, a series of events immediately starts to happen. First, our system administrators and other individuals are alerted so that they can begin to deal with the situation. Their first priority is to figure out exactly what is going on so that they know how to proceed. Each attack is usually different in both technique and in what is being attacked. Their second priority is to do whatever it takes to keep both our customers’ domain names and our own alive and responding.

DDOS attacks are part of the landscape that we deal with every day. Most attacks are mitigated quickly without any disruption. The risk of us requesting you to transfer your domain name due to a DDOS attack is incredibly slim – it’s happened once in our 9 year history. The scale of this attack was on a whole other level. Our infrastructure is redundant, distributed, and hosted with some of the highest end service providers that exist. Not all DDOS attacks are created equal, however. To put the size of last week’s attack in perspective for you, it was massive enough that our rather substantial upstream providers commented on its enormity as they were working with us on mitigation techniques during the time of the attack. This DDOS attack was the largest we’ve ever seen. It was a massive flood of traffic from subnets located in China specifically designed to take down our website and name servers by using more bandwidth than our network could handle. Our upstream service providers’ networks were close to being saturated. That’s a lot of packets! So many packets that information stops flowing on parts of the Internet. Overall, our DDOS mitigation techniques worked well and customers’ websites were not affected. In reflecting on our response to this incident, that’s something we’re proud of. However, our homepage and the ability for users to log in and manage their domains were severely hindered.

When we received the demand to take down the domain name boxun.com and hand it over to the attackers, we were also knee-deep in dealing with the attack. When putting out a fire it’s never easy to think 100% clearly about what you should do versus what you need to do in order to make it out alive. Again, the number one priority was to keep our customers’ 1.5 million domain names functional, manageable, and accessible. Before taking any action regarding the domain, we first contacted the registrant to notify him of the situation and to inform him of our plan of action.

Given all the balls in the air (or the packets in the pipe), at this point all we knew was that it was a Chinese site registered with us. In hindsight we realized that like all individuals, each domain is unique and therefore each attack requires a specific response. Boxun.com contains important information that is pertinent to our times. This DDOS attack both reawakened and reinforced our understanding that free speech and basic human rights can still be squelched with force, even if that force feels abstract. We did not dig deep enough, early enough, to discover the type of content this domain contained. Our actions may not have changed, but we certainly feel this was an oversight on our part.

Rather than handing the domain over to the attackers, which we never considered, we felt the best course of action was to ask the registrant to move boxun.com to another registrar. We’d like to note that the domain was not using our name servers nor our hosting services. Name.com was simply the registrar for the domain. The attackers targeted our infrastructure as a way of trying to get us to hand the domain over to them.

We’ve kicked around and discussed many of the hard questions internally. If we had known the content of the domain initially would we have taken a different stand? If so, for how long? Does it make sense to put this domain above others? If many or all of our customers were affected by this, what would have been their response? We don’t think there is a straightforward answer.

The most important thing to consider here is how we do things moving forward. We value the freedom to communicate opinions and ideas. We sincerely wish the best for boxun.com and hope that one day soon everyone’s voice can be heard without the threat of being silenced. We feel the best thing we can do is be honest and continue to be transparent.